Inside Online Carding Courses Designed for Cybercriminals

Total Page:16

File Type:pdf, Size:1020Kb

Inside Online Carding Courses Designed for Cybercriminals Inside Online Carding Courses Designed for Cybercriminals Card fraud more sophisticated than ever, and what you can do about it Executive Summary Payment card fraud costs banks and merchants billions every year. As consumers spend more and more money online, the opportunities for fraud increase; experts project a loss of $24 billion to payment card fraud by the end of 2018.1 Payment card fraudsters do not operate in a vacuum, instead relying on a sophisticated ecosystem and support network that provides a wide range of credit card details, fraud tools and online tutorials. This paper looks at one recent online course designed for bad actors in order to shed light on the latest fraud tactics and tools, allowing consumers, merchants and credit card companies to better understand the threat and make it harder for the fraudsters. Table of Contents Executive Summary................................................................................................... 2 Payment card fraud is big business – and it’s getting even bigger....................... 3 Fraudsters are only one part of a broader ecosystem........................................... 4 Stage 1: Learn the latest techniques......................................................................... 6 Stage 2: Buy payment cards from a reputable site.................................................. 8 Stage 3: Commit payment card fraud and cash out................................................ 10 Fraudsters score big................................................................................................ 12 A knowledge of carding trends helps defenders and consumers too................. 13 Glossary.................................................................................................................... 14 End Notes..................................................................................................................14 2 Payment card fraud is big business – and it’s getting even bigger Payment card fraud has been around as long as the cards themselves, and there are two main approaches: physical card fraud and Card Not Present (CNP) fraud. Physical card fraud entails the cloning of payment cards, which are then used to make purchases. Despite its imperfections, recent research indicates that the increasing adoption of EMV has made physical card fraud more difficult, making CNP fraud more popular.2 CNP fraud occurs when the customer doesn’t physically present the card and uses card details online or over the phone. With consumers spending more and more with their credit cards online, it’s easy to see why CNP fraud is big business. One recent report claims that annual online card spending will double to $6 trillion by 2021.3 All of this offers more opportunities for cybercriminals to make money. This year, Europol coordinated an effort to disrupt an organized crime group that affected more than 130,000 payment cards, resulting in a loss of 8 million Euros. The criminal network established several fake online shops and a shell software company, allowing them to make illicit credit card transactions.4 This is just one technique used by carders; cybercriminals are continuously innovating and devising new techniques to bypass security controls developed by credit card companies and merchants. The combination of increased spending and criminal innovation contributes to a projected loss of $24 billion to credit card fraud in 2018.5 $24 Billion Projected loss to credit card fraud in 2018 Where do the carders learn and hone their skills? Well, just as consumers use online courses, so do cybercriminals. In order to understand carders’ latest tactics and tools, we are highlighting an online course from an exclusive Russian carding forum, complete with webinars, instructors and reading material. While tutorials and guides have existed for many years, the online course was on a scale and level of professionalism we have not seen before. We will glean insights from this course so that you can understand the carding ecosystem and the latest techniques used by cyber criminals. In doing so, you as a defender can learn what makes an attractive target, and what causes problems for cybercriminals. This is relevant for financial services organizations; but there are also implications for consumers, e-commerce, hotels, airlines, gaming and retail companies. As this paper will show, carding guides and courses are not a new phenomenon, but the professionalism, reputation and freshness of this course provides useful insights for organizations across a range of industries as well as consumers. 3 Fraudsters are only one part of a broader ecosystem Payment card fraudsters rarely operate by themselves, instead relying on a well-established ecosystem that provides them with payment card information, support services and ways to monetize the fraud. We have identified four key pillars of the carding ecosystem. 1. Payment Card Data Harvesters ‘Harvesters’ do the ‘dirty work’ in terms of harvesting payment card information. This is done through intercepting card holders’ information whether this be through point of sale malware, skimming devices, phishing, breached databases, or through operating botnets. With the control of botnets, criminals can gain access to individuals’ computers and steal their credit card information. In one recent case, a Russian criminal was sentenced to nine years in prison for operating several botnets that were used to steal credit card information. He claimed to have acquired 40,000 credit card details through this technique.6 Criminals who amass large amounts of fresh card details can quickly and easily sell these on to distributers and make good money. In the world of Netflix’s drama, Narcos, these would be the criminals making the goods. 2. Distributors Distributors are the ‘middle men’ who typically make the most money. While the criminals who harvest may use the card data themselves, they also sell it on to others who will package, repackage and sell the card information. This may be done privately or through specific sites that sell the card details, sites that Europol refers to as Automated Vending Carts (AVCs). Seleznev – also known as nCuz, Bulba and Track2 – was a prolific Russian cybercriminal and credit card thief, responsible for 3,700 financial institutions losing more than $169 million.7 Roman Seleznev ran many AVCs before being sentenced to 27 years in prison in April 2017. Criminals running AVCs have the potential to make a large amount of money with a low degree of risk. If the harvesters are the Narcos, the AVC owners are the distributors; reselling the product and taking their cut. 3. Payment Card Fraudsters Fraudsters are the ‘users’ who actually carry out the fraud, using card details to carry out fraudulent transactions to buy goods and services. These individuals run the most risk in terms of getting caught by law enforcement or being conned by fellow criminals. Once fraudsters have acquired payment card information from their distributor, the fraud can happen. These individuals tend to be less technical and attract a lower caliber of cybercriminal, often relying on online guides and courses to learn the latest techniques. There are many approaches to this, but it typically starts by purchasing online goods for consumption or resale. The fraudsters either keep the ill-gotten goods for themselves, or they are monetized by offering the same good for a much-reduced price, such as a luxury watch for 50% off. With the right knowledge and approach, fraudsters have the opportunity to make a significant amount of money, although the risk is higher. They are the ones who make the Narcos rich and fuel the industry; if they weren’t buying credit card details, the demand to drive harvest and distribution would be reduced. 4. Monetization There are many different roles within this stage, including those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods. Purchasing goods with stolen payment cards can be useful, but the payment card fraudsters will need individuals to help them monetize (cash out) these fraudulent purchases. Cashing out is necessary in order to turn carding into a business. Those involved in the cashing-out process are not always aware they are committing a criminal act; a common approach is to have unwitting individuals working for a fictitious organization, reshipping fraudulently-purchased goods as a “Merchandise Manager” or “Junior Packing Coordinator.”8 4 These four areas are not mutually exclusive – a criminal might harvest the card data and commit the fraud. However, the maturity of the carding ecosystem allows actors to become more specialized. Although carding is comprised of these four key pillars, they also rely on many support services including network anonymity providers and reputation services. A great example of this specialization is fraud[.]cat, a service that allows fraudsters to determine the risk of using particular IP addresses (Figure 1). Figure 1: A screenshot of fraud[.]cat, an online service to check the risk score of IP addresses that are used for committing fraud The online course we will cover in this paper focuses on the payment card fraudsters across the three main stages: Buy payment Learn the latest Commit fraud cards from a techniques and cash out reputable site Figure 2: The 3-stage process for payment card fraudsters By understanding what causes these criminals friction at each stage, organizations and consumers can
Recommended publications
  • The Underground Economy.Pdf
    THE THE The seeds of cybercrime grow in the anonymized depths of the dark web – underground websites where the criminally minded meet to traffic in illegal products and services, develop contacts for jobs and commerce, and even socialize with friends. To better understand how cybercriminals operate today and what they might do in the future, Trustwave SpiderLabs researchers maintain a presence in some of the more prominent recesses of the online criminal underground. There, the team takes advantage of the very anonymity that makes the dark web unique, which allows them to discretely observe the habits of cyber swindlers. Some of the information the team has gathered revolves around the dark web’s intricate code of honor, reputation systems, job market, and techniques used by cybercriminals to hide their tracks from law enforcement. We’ve previously highlighted these findings in an extensive three-part series featured on the Trustwave SpiderLabs blog. But we’ve decided to consolidate and package this information in an informative e-book that gleans the most important information from that series, illustrating how the online criminal underground works. Knowledge is power in cybersecurity, and this serves as a weapon in the fight against cybercrime. THE Where Criminals Congregate Much like your everyday social individual, cyber swindlers convene on online forums and discussion platforms tailored to their interests. Most of the criminal activity conducted occurs on the dark web, a network of anonymized websites that uses services such as Tor to disguise the locations of servers and mask the identities of site operators and visitors. The most popular destination is the now-defunct Silk Road, which operated from 2011 until the arrest of its founder, Ross Ulbricht, in 2013.
    [Show full text]
  • Beware of These Common Scams
    Beware of these common scams Nigerian Scams People claiming to be officials, businessmen or surviving relatives of former government officials in countries around the world send countless offers via e-mail, attempting to convince consumers that they will transfer thousands of dollars into your bank account if you will just pay a fee or "taxes" to help them access their money. If you respond to the initial offer, you may receive documents that look "official." Unfortunately, you will get more e-mails asking you to send more money to cover transaction and transfer costs, attorney's fees, blank letterhead and your bank account numbers and other sensitive, personal information. Tech Support Scams A tech support person may call or email you and claim that they are from Windows, Microsoft or another software company. The person says your computer is running slow or has a virus and it’s sending out error messages. Scammers will ask you to visit a website that gives them remote access to your computer. If the caller obtains access they can steal personal information, usernames and passwords to commit identity theft or send spam messages. In some cases, the caller may even be asked for a wired payment or credit card information. Lottery Scams In foreign lottery scams, you receive an email claiming that you are the winner of a foreign lottery. All you need to do to claim your prize is send money to pay the taxes, insurance, or processing or customs fees. Sometimes, you will be asked to provide a bank account number so the funds can be deposited.
    [Show full text]
  • Shadowcrew Organization Called 'One-Stop Online Marketplace for Identity Theft'
    October 28, 2004 Department Of Justice CRM (202) 514-2007 TDD (202) 514-1888 WWW.USDOJ.GOV Nineteen Individuals Indicted in Internet 'Carding' Conspiracy Shadowcrew Organization Called 'One-Stop Online Marketplace for Identity Theft' WASHINGTON, D.C. - Attorney General John Ashcroft, Assistant Attorney General Christopher A. Wray of the Criminal Division, U.S. Attorney Christopher Christie of the District of New Jersey and United States Secret Service Director W. Ralph Basham today announced the indictment of 19 individuals who are alleged to have founded, moderated and operated "www.shadowcrew.com" -- one of the largest illegal online centers for trafficking in stolen identity information and documents, as well as stolen credit and debit card numbers. The 62-count indictment, returned by a federal grand jury in Newark, New Jersey today, alleges that the 19 individuals from across the United States and in several foreign countries conspired with others to operate "Shadowcrew," a website with approximately 4,000 members that was dedicated to facilitating malicious computer hacking and the dissemination of stolen credit card, debit card and bank account numbers and counterfeit identification documents, such as drivers' licenses, passports and Social Security cards. The indictment alleges a conspiracy to commit activity often referred to as "carding" -- the use of account numbers and counterfeit identity documents to complete identity theft and defraud banks and retailers. The indictment is a result of a year-long investigation undertaken by the United States Secret Service, working in cooperation with the U.S. Attorney's Office for the District of New Jersey, the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, and other U.S.
    [Show full text]
  • Online Money Laundering Operations to Take Place
    Laundering Money Online: a review of cybercriminals’ methods Jean-Loup Richet Tools and Resources for Anti-Corruption Knowledge – June, 01, 2013 - United Nations Office on Drugs and Crime (UNODC). Executive Summary Money laundering is a critical step in the cyber crime process which is experiencing some changes as hackers and their criminal colleagues continually alter and optimize payment mechanisms. Conducting quantitative research on underground laundering activity poses an inherent challenge: Bad guys and their banks don’t share information on criminal pursuits. However, by analyzing forums, we have identified two growth areas in money laundering: Online gaming—Online role playing games provide an easy way for criminals to launder money. This frequently involves the opening of numerous different accounts on various online games to move money. Micro laundering—Cyber criminals are increasingly looking at micro laundering via sites like PayPal or, interestingly, using job advertising sites, to avoid detection. Moreover, as online and mobile micro-payment are interconnected with traditional payment services, funds can now be moved to or from a variety of payment methods, increasing the difficulty to apprehend money launderers. Micro laundering makes it possible to launder a large amount of money in small amounts through thousands of electronic transactions. One growing scenario: using virtual credit cards as an alternative to prepaid mobile cards; they could be funded with a scammed bank account – with instant transaction – and used as a foundation of a PayPal account that would be laundered through a micro-laundering scheme. Laundering Money Online: a review of cybercriminals’ methods Millions of transactions take place over the internet each day, and criminal organizations are taking advantage of this fact to launder illegally acquired funds through covert, anonymous online transactions.
    [Show full text]
  • Issues Confronting US Law Enforcement
    The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement Updated January 17, 2013 Congressional Research Service https://crsreports.congress.gov R41927 The Interplay of Borders, Turf, Cyberspace, and Jurisdiction Summary Savvy criminals constantly develop new techniques to target U.S. persons, businesses, and interests. Individual criminals as well as broad criminal networks exploit geographic borders, criminal turf, cyberspace, and law enforcement jurisdiction to dodge law enforcement countermeasures. Further, the interplay of these realities can potentially encumber policing measures. In light of these interwoven realities, policy makers may question how to best design policies to help law enforcement combat ever-evolving criminal threats. Criminals routinely take advantage of geographic borders. They thrive on their ability to illicitly cross borders, subvert border security regimens, and provide illegal products or services. Many crimes—particularly those of a cyber nature—have become increasingly transnational. While criminals may operate across geographic borders and jurisdictional boundaries, law enforcement may not be able to do so with the same ease. Moreover, obstacles such as disparities between the legal regimens of nations (what is considered a crime in one country may not be in another) and differences in willingness to extradite suspected criminals can hamper prosecutions. The law enforcement community has, however, expanded its working relationships with both domestic and international agencies. Globalization and technological innovation have fostered the expansion of both legitimate and criminal operations across physical borders as well as throughout cyberspace. Advanced, rapid communication systems have made it easier for criminals to carry out their operations remotely from their victims and members of their illicit networks.
    [Show full text]
  • Understanding Online Carding Forums
    All Your Cards Are Belong To Us: Understanding Online Carding Forums Andreas Haslebacher, Jeremiah Onaolapo, and Gianluca Stringhini University College London [email protected] fj.onaolapo,[email protected] Abstract—Underground online forums are platforms that The sales volumes thus generated appear to be substantial. enable trades of illicit services and stolen goods. Carding forums, It is estimated, for example, that the closure of several credit in particular, are known for being focused on trading financial card related forums in 2012 prevented international fraud to the information. However, little evidence exists about the sellers that tune of £500 million [2]. It is therefore important to understand are present on active carding forums, the precise types of products the characteristics of these online forums and the activity of they advertise, and the prices that buyers pay. Existing literature cybercriminals using them. focuses mainly on the organisation and structure of the forums. Furthermore, studies on carding forums are usually based on literature review, expert interviews, or data from forums that The body of research into underground forums is growing have already been shut down. This paper provides first-of-its-kind but still limited. In particular, there are only a few studies avail- empirical evidence on active forums where stolen financial data is able about credit card related forums. These studies mainly traded. We monitored five out of 25 discovered forums, collected focus on the organisation and the structure of the forums posts from the forums over a three-month period, and analysed but less on the content itself, that is, the products traded them quantitatively and qualitatively.
    [Show full text]
  • The President's Identity Theft Task Force
    The President’s Identity Theft Task Force Combating IDENTITY THEFT A Strategic Plan April 2007 COMBATING IDENTITY THEFT A Strategic Plan Table of Contents Glossary of Acronyms .................................................................v Identity Theft Task Force Members ............................................... vii Letter to the President .............................................................. viii I. Executive Summary .............................................................. 1 A. Introduction .................................................................................. 1 B. The Strategy .................................................................................. 2 II. The Contours of the Identity Theft Problem ............................. 10 A. Prevalence and Costs of Identity Theft ......................................... 11 B. Identity Thieves: Who They Are .................................................. 12 C. How Identity Theft Happens: The Tools of the Trade ................... 13 D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft ........................ 18 III. A Strategy to Combat Identity Theft ....................................... 22 A. Prevention: Keeping Consumer Data out of the Hands of Criminals ..................................................................... 22 1. Decreasing the Unnecessary Use of Social Security Numbers ........................................................ 23 2. Data Security in the Public Sector .........................................
    [Show full text]
  • Learn the Slang and Operational Techniques of Online Payment Fraudsters
    Fraudster Dictionary Learn the slang and operational techniques of online payment fraudsters 1 Table of Contents Intro 3 Real darknet stories - Wall Street Exit Scam 15 Step 1: Learn the language. Fullz 16 Dictionary. 4 MMN 16 MSCS 16 English Language Sphere Ripper 16 Spoofing 17 Altcoins 6 TOR 17 Anonymity Checker 6 VBV 17 Automatic Vending Cart (AVC) 6 AVS 7 Russian Language Sphere BIN 7 Bulletproof hosting 7 Вбив 19 Real darknet stories - Hosting servers Вещевой/Вещевуха 19 inside a military bunker 8 Дроп 19 Carding 9 Дропоwод 19 Cashout 9 Энрол 20 Cardable websites 9 Закладка 20 Credit card checkers 10 Кладсмен 20 Criminal forums 10 Pазогревать Шопa 20 Cryptocurrency mixer 11 Реролл 21 Darknet 11 Фулка 21 Darknet market (DNM) 11 чернухи 21 Darkweb 12 Dead fullz 12 Step 2: Learn techniques. DOB 13 Profiler. 22 Drop 13 Dump 13 Profiler Technology 23 Escrow service 14 Main Profiling Attributes 24 Exit scam 14 Intro Going up against online fraudsters is a tough battle. There isn’t one rule that can help you win it all, but there are certainly some crucial steps each fraud specialist should undertake. Anti-fraud tools are a “must-have’’, but a more sophisticated approach is to understand the behaviour and language of your opponent. However, 75% of fraud analysts admit that they do not research and collect evidence from the darkweb. We totally understand that. Digging through the darknet is a time-consuming job, and it’s hard to keep up with evolving criminal threats and technological advances. It’s also a risky activity.
    [Show full text]
  • I Was a Cybercrook for The
    I Was a Cybercrook for the FBI For 18 tense months, a computer-savvy grifter named David Thomas runs a thriving online crime hub for bank heists, identity theft and counterfeiting, with the FBI paying the bills. By Kim Zetter 02:00 AM Jan, 30, 2007 By the time David Thomas eased his Cadillac into the parking lot of an office complex in Issaquah, Washington, he already suspected the police were on to him. An empty Crown Victoria in one of the parking spaces confirmed it. "That's heat right there," he told his two passengers -- 29-year-old girlfriend Bridget Trevino, and his crime partner Kim Marvin Taylor, a balding, middle-aged master of fake identities he'd met on the internet. It was November 2002, and Thomas, then a 44-year-old Texan, was in Washington to collect more than $30,000 in merchandise that a Ukrainian known as "Big Buyer" ordered from Outpost.com with stolen credit card numbers. His job was to collect the goods from a mail drop, fence them on eBay and wire the money to Russia, pocketing 40 percent of the take before moving to another city to repeat the scam. But things didn't go as planned. Ignoring Thomas' suspicions, Taylor walked into the Meadow Creek Professional Center to collect the Outpost shipment, and found the cops waiting for him. Thomas and his girlfriend tried to escape in the Cadillac but were caught half a mile away. An ID badge that Taylor wore when he was arrested indicated that he worked for Microsoft.
    [Show full text]
  • Site Isolation: Process Separation for Web Sites Within the Browser
    Site Isolation: Process Separation for Web Sites within the Browser Charles Reis, Alexander Moshchuk, and Nasko Oskov, Google https://www.usenix.org/conference/usenixsecurity19/presentation/reis This paper is included in the Proceedings of the 28th USENIX Security Symposium. August 14–16, 2019 • Santa Clara, CA, USA 978-1-939133-06-9 Open access to the Proceedings of the 28th USENIX Security Symposium is sponsored by USENIX. Site Isolation: Process Separation for Web Sites within the Browser Charles Reis Alexander Moshchuk Nasko Oskov Google Google Google [email protected] [email protected] [email protected] Abstract ploitable targets of older browsers are disappearing from the web (e.g., Java Applets [64], Flash [1], NPAPI plugins [55]). Current production web browsers are multi-process but place As others have argued, it is clear that we need stronger iso- different web sites in the same renderer process, which is lation between security principals in the browser [23, 33, 53, not sufficient to mitigate threats present on the web today. 62, 63, 68], just as operating systems offer stronger isolation With the prevalence of private user data stored on web sites, between their own principals. We achieve this in a produc- the risk posed by compromised renderer processes, and the tion setting using Site Isolation in Google Chrome, introduc- advent of transient execution attacks like Spectre and Melt- ing OS process boundaries between web site principals. down that can leak data via microarchitectural state, it is no While Site Isolation was originally envisioned to mitigate longer safe to render documents from different web sites in exploits of bugs in the renderer process, the recent discov- the same process.
    [Show full text]
  • Carding” Reveals
    DATA BREACHES: WHAT THE UNDERGROUND WORLD OF “CARDING” REVEALS Kimberly Kiefer Peretti U.S. Department of Justice Computer Crime and Intellectual Property Section Forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal Data Breaches: What the Underground World of “Carding” Reveals Kimberly Kiefer Peretti1 “Cyber-crime has evolved significantly over the last two years, from dumpster diving and credit card skimming to full-fledged online bazaars full of stolen personal and financial information.”2 Brian Nagel, Assistant Director, U.S. Secret Service Individuals have been at risk of having their personal information stolen and used to commit identity-related crimes long before the emergence of the Internet. What the Information Age has changed, however, is the method by which identity thieves can access and exploit the personal information of others. One method in particular leaves hundreds of thousands, and in some cases tens of millions, of individuals at risk for identity theft: large scale data breaches by skilled hackers. In this method, criminals remotely access the computer systems of government agencies, universities, merchants, financial institutions, credit card companies, and data processors, and steal large volumes of personal information on individuals. Such large scale data breaches have revolutionized the identity theft landscape, in particular as it relates to fraud on existing accounts by use of compromised credit and debit card account information. Large scale data breaches would be of no more concern than small scale identity thefts if criminals were unable to quickly and widely distribute the stolen information for subsequent fraudulent use (assuming, of course, that the breach would be quickly detected).
    [Show full text]
  • CFET 2012 6Th International Conference on Cybercrime Forensics Education & Training
    CFET 2012 6th International Conference on Cybercrime Forensics Education & Training FUD and Blunder: Tracking PC Support Scams David Harley, ESET N. America Martijn Grooten, Virus Bulletin Craig Johnston, Independent Researcher Stephen Burn, Malwarebytes FUD and Blunder: Tracking PC Support Scams David Harley, ESET N. America Martijn Grooten, Virus Bulletin Craig Johnston, Independent Researcher Stephen Burn, Malwarebytes Abstract While the main driver of nearly all malware authoring nowadays is profit, fake security also undermines the credibility and effectiveness of the real security industry on many levels. • Threatened or actual legal action, spamming and quasi-legitimate blogs and articles asserting the legitimacy of dubious products and services • Marketing models that parody those used by the security industry • The ethically challenged, and sometimes essentially fraudulent selling-on of legitimate but free products and services Fake security products, supported by variations on Black Hat SEO and social media spam constitute a longstanding and well-documented area of cybercriminal activity. By comparison, lo-tech Windows support scams receive less attention, perhaps because they’re seen as primarily social engineering not really susceptible to a technical “anti-scammer” solution. Yet they’ve been a consistent source of fraudulent income for some time, and have quietly increased in sophistication. The increased volumes, sophistication and infrastructural complexity of cold-call support scams suggest that social engineering with minimal programmatic content has been as profitable as attacks based on the use of unequivocally malicious binaries: lo-tech attacks with hi-tech profits. These attacks have gone beyond the FUD and Blunder approach, from “Microsoft told us you have a virus” to technically more sophisticated hooks such as deliberate misrepresentation and misinterpretation of output from system utilities such as Event Viewer, Assoc, Prefetch, Inf and Task Manager.
    [Show full text]